Boxiang Sun / gitlab-ce
Commit 857dcd6c, authored Jun 09, 2017 by Michael Kozono
Change encryption description
Parent: e0fe3477
Showing 1 changed file with 16 additions and 11 deletions
doc/administration/auth/ldap.md
...
@@ -278,6 +278,19 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
...
@@ -278,6 +278,19 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
themselves, they should check that their GitLab email address matches their
themselves, they should check that their GitLab email address matches their
LDAP email address, and then sign into GitLab via their LDAP credentials.
LDAP email address, and then sign into GitLab via their LDAP credentials.
## Encryption
### TLS Server Authentication
There are two encryption methods,
`simple_tls`
and
`start_tls`
.
For either encryption method, if setting
`validate_certificates: false`
, TLS
encryption is established with the LDAP server before any LDAP-protocol data is
exchanged but no validation of the LDAP server's SSL certificate is performed.
>**Note**: Before GitLab 9.5, `validate_certificates: false` is the default if
unspecified.
## Limitations
## Limitations
### TLS Client Authentication
### TLS Client Authentication
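Review bot: The sentence beginning "For either encryption method" is not accurate for `start_tls`. With StartTLS the client first sends an LDAP extended request in cleartext on the plain connection and only then negotiates TLS, so the claim that TLS is established "before any LDAP-protocol data is exchanged" holds for `simple_tls` only, which is how the removed text in the next hunk scoped it. Suggest describing the two methods separately and stating the consequence of `validate_certificates: false` plainly: the LDAP server is not authenticated, so bind credentials are exposed to anyone able to impersonate the server on the network path. The note should also read "was the default" and say what the default is from GitLab 9.5 onward.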
...
@@ -287,14 +300,6 @@ You should disable anonymous LDAP authentication and enable simple or SASL
...
@@ -287,14 +300,6 @@ You should disable anonymous LDAP authentication and enable simple or SASL
authentication. The TLS client authentication setting in your LDAP server cannot
authentication. The TLS client authentication setting in your LDAP server cannot
be mandatory and clients cannot be authenticated with the TLS protocol.
be mandatory and clients cannot be authenticated with the TLS protocol.
### TLS Server Authentication
Not supported by GitLab's configuration options.
When setting
`method: ssl`
, the underlying authentication method used by
`omniauth-ldap`
is
`simple_tls`
. This method establishes TLS encryption with
the LDAP server before any LDAP-protocol data is exchanged but no validation of
the LDAP server's SSL certificate is performed.
## Troubleshooting
## Troubleshooting
### Debug LDAP user filter with ldapsearch
### Debug LDAP user filter with ldapsearch
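Review bot: Removing this section drops the only statement in the visible hunks that `method: ssl` corresponds to `simple_tls`. Administrators with an existing `method: ssl` configuration have nothing here telling them that the key is now `encryption`, or that no certificate validation was performed under the old setting. Suggest keeping a short migration sentence, for example in the new Encryption section, that maps `method: ssl` to `encryption: 'simple_tls'`.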
...
@@ -334,9 +339,9 @@ tree and traverse it.
...
@@ -334,9 +339,9 @@ tree and traverse it.
### Connection Refused
### Connection Refused
If you are getting 'Connection Refused' errors when trying to connect to the
If you are getting 'Connection Refused' errors when trying to connect to the
LDAP server please double-check the LDAP
`port`
and
`
method
`
settings used by
LDAP server please double-check the LDAP
`port`
and
`
encryption
`
settings used by
GitLab. Common combinations are
`
method
: 'plain'`
and
`port: 389`
, OR
GitLab. Common combinations are
`
encryption
: 'plain'`
and
`port: 389`
, OR
`
method: 'ssl
'`
and
`port: 636`
.
`
encryption: 'simple_tls
'`
and
`port: 636`
.
### Troubleshooting
### Troubleshooting
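Review bot: The list of common combinations omits `start_tls`, which the new Encryption section introduces as one of the two methods. StartTLS upgrades a plain LDAP connection, so it is normally paired with `port: 389`; as written, a reader pairing `encryption: 'start_tls'` with `port: 636` has no hint that the combination is wrong. Suggest adding the `start_tls` and `port: 389` pairing to this sentence, and noting that `encryption: 'plain'` sends bind credentials unencrypted.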
...
...